On the Adversarial Robustness of Out-of-distribution Generalization Models
Authors: Xin Zou, Weiwei Liu
NeurIPS 2023
| Reproducibility Variable | Result | LLM Response |
|---|---|---|
| Research Type | Experimental | We first present theoretical analyses of OOD adversarial robustness in two different complementary settings. Motivated by the theoretical results, we design two algorithms to improve the OOD adversarial robustness. Finally, we conduct experiments to validate the effectiveness of our proposed algorithms. |
| Researcher Affiliation | Academia | Xin Zou, Weiwei Liu; School of Computer Science, Wuhan University; National Engineering Research Center for Multimedia Software, Wuhan University; Institute of Artificial Intelligence, Wuhan University; Hubei Key Laboratory of Multimedia and Network Communication Engineering, Wuhan University |
| Pseudocode | Yes | Algorithm 1 RDANN |
| Open Source Code | Yes | Our code is available at https://github.com/ZouXinn/OOD-Adv. |
| Open Datasets | Yes | The datasets we use are Rotated MNIST [21], Colored MNIST [4], VLCS [15], PACS [38], and Office Home [62]. |
| Dataset Splits | Yes | We use part of the training data as the validation set to select the best model of the 20 runs according to the adversarial robustness of the training environments. |
| Hardware Specification | No | The paper mentions general architectures like CNN and ResNet-50, but it does not provide specific hardware details such as GPU or CPU models, memory specifications, or cloud computing instance types used for experiments. |
| Software Dependencies | No | The paper mentions using "torchattacks [32]" for realizing attacks, but it does not specify any version numbers for this or any other software dependencies, which is required for a reproducible description. |
| Experiment Setup | Yes | We use ℓ -norm attack for both adversarial attack and adversarial training. We use ϵ = 0.1 for Colored MNIST and Rotated MNIST, and ϵ = 4/255 for VLCS, PACS, and Office Home; moreover, following [74, 75], we use PGD-10 to generate adversarial examples at the training stage and PGD-20 at the evaluation stage to avoid overfitting. The step size used to generate adversarial examples is set to be ϵ/4. |